A database stores a document as a plurality of encrypted records, where each record is indicative of an incremental change to the state of the document and is encrypted using a document key. The document key is stored with encryption decryptable using a group key, and the group key is stored with encryption decryptable using a first access key. In response to a request to rotate from the first access key to a second access key, the database decrypts the group key using the first access key and stores the group key re-encrypted with the second access key.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
4. The system of claim 1, wherein, prior to receiving the first or second client-managed access keys, the document key is stored with encryption decryptable using a default group key, and stores the default group key with encryption decryptable using a default access key.
This claim covers the state of a document before the client has supplied any access key of its own. The same three-tier hierarchy is already in place, but with defaults: the document key is stored encrypted under a default group key, and that default group key is stored encrypted under a default access key that the database service, rather than the client, controls. Bringing a client-managed access key into the picture then amounts to the rotation described in claim 1: the group key is decrypted with the default access key and re-encrypted under the client's first access key, while the document key and the encrypted records stay exactly as they are. Documents created before the client opted into managing its own keys can therefore be brought under client control without re-encrypting their content.
5. The system of claim 1, wherein rotation from the first client-managed access key to the second client-managed access key is accomplished without re-encryption of the plurality of encrypted records.
Rotating from the first client-managed access key to the second does not touch the encrypted records. The only thing re-encrypted is the group key: it is decrypted with the outgoing access key, encrypted again with the incoming one, and the re-encrypted group key replaces the old one in storage. The records remain encrypted under the document key, and the document key remains encrypted under the unchanged group key, so the second access key unlocks the same wrapped document key the first one did; it never decrypts records directly. The cost of a rotation is thus a couple of small key-wrapping operations regardless of how many records the document holds, which is what makes frequent rotation practical for large stores. The point a practitioner should keep in mind is that this rotation only changes which access key controls the chain from now on: because the group key and document key themselves are not replaced, it does not retire a group key or document key that may already have been exposed, and the old wrapped group key must be deleted rather than kept alongside the new one, since the first access key can still decrypt that old copy.
7. The method of claim 6, wherein a record, of the plurality of encrypted records, comprises information indicative of an incremental change to the document.
The encrypted records that make up a document are not snapshots of the whole document: each one records an incremental change, such as an insertion, deletion or edit, encrypted under the document key. The current state of the document is reconstructed by decrypting the records and applying the changes in order. Storing a document as an append-only log of encrypted changes fits the key hierarchy naturally. Writing a new change only requires encrypting that change under the document key, and a rotation of the client-managed access key never requires rewriting the log. Because every record is encrypted under the same document key, whoever can unwrap that key can read the full history of the document, not only its latest state, which matters when deciding how long old records are retained.
9. The method of claim 6, wherein subsequent to the rotation, the database document cannot be accessed by the database without authorization to use the second access key.
Once the rotation is complete, the database itself cannot read the document unless it is authorized to use the second access key. The database holds only ciphertext: the encrypted records, the document key encrypted under the group key, and the group key encrypted under an access key. After rotation the only stored copy of the group key is the one encrypted under the second access key, so the first access key no longer decrypts anything. The database still stores and serves the document, but it can only reach plaintext by being allowed to use the client's second key, which keeps control over access on the client's side rather than the database's.
15. The non-transitory computer-readable storage medium of claim 14, wherein decrypted content of the database item becomes inaccessible to the database in response to revocation, by a client, of authorization to use the second access key.
Because the database can only reach the document key by having the group key decrypted with the client's access key, the client can cut off the database's access simply by revoking its authorization to use the second access key; nothing in the database needs to be rewritten or deleted. Once that authorization is withdrawn, the database cannot decrypt the group key, so the document key and the decrypted content of the database item become inaccessible to it. For this property to hold in practice the database must not keep decrypted group keys, document keys or content around beyond the operation that needed them, since any cached copy would survive the revocation.
16. The non-transitory computer-readable storage medium of claim 14, wherein one or more records are added to the plurality of records, the one or more records stored using encryption decryptable using the document key.
A document is not frozen once it has been stored. New records, each an additional encrypted change, can be appended to the existing set, and they are encrypted under the same document key as the records already there. Appending therefore needs the same chain of decryptions as reading: the access key decrypts the group key, the group key decrypts the document key, and the document key encrypts the new record. Nothing about the wrapped keys changes when records are added, and a rotation that happens between two writes does not affect earlier or later records, since all of them depend only on the document key.
18. The non-transitory computer-readable storage medium of claim 14, wherein the group key is decrypted using a remote cryptographic services provider.
The access key does not have to be held by the database at all. In this variant the group key is decrypted by a remote cryptographic services provider, such as a key-management service operated for the client: the database sends the encrypted group key to the provider and receives the decrypted group key back, while the client-managed access key never leaves the provider. This is what makes the access key genuinely client-managed. The client decides, at the provider, whether the database may use the key, and that is the mechanism behind both rotation (the provider re-encrypts the group key under the new key) and the revocation of claim 15 (the provider stops answering decryption requests for that key). It also keeps the most sensitive key out of the database process, so a snapshot of the database's storage alone yields only wrapped keys and ciphertext.
Cooperative Patent Classification codes for this invention.
May 10, 2022
May 7, 2024